Get Started with Agent Correlation Identifier 

Agent Correlation Identifier allows you to merge unauthenticated and authenticated vulnerability scan results from scanned IP interfaces and agent VM scans for your cloud agent assets. The Agent Correlation Identifier is supported for VM only and is detected by QID 48143 “Qualys Correlation ID Detected”.

For more information on merging unauthenticated scan and agent scan results, visit our blog and watch the video.

Note: Qualys does not recommend enabling this feature on any host with any external-facing interface.

Prerequisites

- The Agent Correlation Identifier feature must be available on your Qualys Cloud Platform.

- Your agent hosts must have the minimum Cloud Agent version: Windows Agent version 4.2 or later | Linux Agent version 3.1 or later

- The agent configuration profile must have the Agent Scan Merge option enabled. See steps below to learn how to enable this option in the Cloud Agent UI.

- By default, the following TCP ports must not be blocked: 10001, 10002, 10003, 10004, 10005. You can customize the list of ports in the Configuration Profile in Cloud Agent. The ports listed will be included in your vulnerability scans automatically when the agent correlation identifier option is accepted. We’ll add these ports to the scanned ports list.

- Your vulnerability scans must include Information Gathered QID 48143 “Qualys Correlation ID Detected”. A Full vulnerability scan will include this QID by default. If you run a custom scan using a search list, then you’ll need to make sure this QID is included. Add the QID to a search list and add the search list to the scan option profile under Vulnerability Detection: Custom.

- Make sure that agentid-service is running on the agent and listening on the port.

What are the steps?

Follow the steps below to start using the Agent Correlation Identifier.

In Cloud Agent:

1) Toggle ON the Enable Agent Scan Merge for this profile option in the configuration profile. Choose Cloud Agent from the app picker, then go to Agent Management > Configuration Profiles. Create a new profile (or edit an existing profile) and select this option.

If you toggle Bind All to ON, the service tries to connect to all the listed ports. Otherwise, the service tries to connect only to the lowest free port among those specified. For Windows agent versions below 4.6, the service opens these ports on all network interfaces, such as WiFi, Token Ring, Ethernet, and Optical LAN. For Windows agents 4.6 and later, you can configure the Windows agent to bind to an interface that is connected to the approved network.

In Vulnerability Management:

2) (Manager primary contact) Go to Assets > Setup > Asset Tracking & Data Merging. On the Unique Asset Identifiers tab, scroll down to Agent Correlation Identifier and select the option Accept Agent Correlation Identifier.

3) Go to Scans > Option Profiles. Create a new option profile (or edit an existing profile) and make sure the scan is a Full scan or Custom scan with QID 48143 added.

4) Run new vulnerability scans to start gathering data for QID 48143.

Troubleshooting

Click the links below for help with troubleshooting.

Troubleshooting Unauth Merge for Windows

Correlation logs for Windows

Log Location: C:\ProgramData\Qualys\QualysAgent\Correlation\Resources\logs\agentid.txt

Example: agentid-2021-01-07T06-31-17.992.log.gz

Check running process: Go to Task Manager and search for the 'agentid-service.exe' process.

Process: agentid-service

After the logs exceed the 10 MB threshold, they are rolled, compressed, and archived with the log name and the current UTC time appended. This process continues for 5 rotations.

Correlation artifacts for Windows

Artifact Location: C:\ProgramData\Qualys\QualysAgent\Correlation

Unsupported Platforms for Windows

- Windows XP

- Windows Server 2003


Troubleshooting Unauth Merge for Linux

Correlation logs for Linux

Log location: /var/log/qualys/agentid.log

If the user has relocated the log directory, then agentid.log will also be stored there.

Example: agentid-2021-01-07T06-31-17.992.log.gz

Check running process: Run the ps -aux | grep agentid-service command.

Process: agentid-service
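
A Linux check that agentid-service is listening on one of the correlation ports, and whether each listener is bound to all interfaces (relevant to the note about external-facing interfaces). This is an added example, not Qualys-supplied code; it assumes the default ports 10001-10005 and the iproute2 ss utility, and the function name check_listeners and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Default correlation ports from the prerequisites (assumption: profile not customized).
PORTS="10001 10002 10003 10004 10005"

# Reads `ss -H -ltnp` output on stdin. Prints one line per listener that
# agentid-service holds on a correlation port: "<port> <local-address> <scope>".
# Returns 0 if at least one such listener exists, 1 otherwise.
check_listeners() {
    awk -v ports="$PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" && /"agentid-service"/ {
            addr = $4
            port = addr; sub(/.*:/, "", port)       # text after the last colon
            host = addr; sub(/:[0-9]+$/, "", host)  # text before the port
            if (!(port in want)) next
            wild = (host == "0.0.0.0" || host == "*" || host == "[::]" || host == "::")
            print port, host, (wild ? "ALL-INTERFACES" : "single-interface")
            found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample of `ss -H -ltnp` output (not captured from a real host).
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))
LISTEN 0 128 0.0.0.0:10001 0.0.0.0:* users:(("agentid-service",pid=1432,fd=7))
LISTEN 0 128 10.20.30.40:10002 0.0.0.0:* users:(("agentid-service",pid=1432,fd=8))
LISTEN 0 128 [::]:10009 [::]:* users:(("agentid-service",pid=1432,fd=9))'

# Self-check on the sample. On an agent host, run as root instead:
#   ss -H -ltnp | check_listeners
printf '%s\n' "$SAMPLE" | check_listeners
```

A listener reported as ALL-INTERFACES on a host with an external-facing interface is the case the note at the top of this page advises against.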

After the logs exceed the 10 MB threshold, they are rolled, compressed, and archived with the log name and the current UTC time appended. This process continues for 5 rotations.

Correlation artifacts for Linux

Artifact Location: /usr/local/qualys/cloud-agent/correlation/manifests

Unsupported Platforms for Linux

- CentOS 5.x

- Red Hat 5.x

- SUSE 10.x

- macOS

- AIX